System and method for enhanced network client security

ABSTRACT

Systems and methods for enhanced network client security are described. One aspect of one embodiment of the present invention includes receiving a security-related policy associated with a user, determining a security model associated with the security-related policy, and applying the security model to a network connection on a client device. One aspect of another embodiment of the present invention includes receiving a first measure associated with a usage characteristic, the usage characteristic associated with a user, receiving a second measure associated with the usage characteristic, comparing the first measure and second measure, and determining the likelihood that an unauthorized access has occurred based at least in part on the comparison.

RELATED APPLICATIONS

This application claims priority to Application Ser. No. 60/583,765, filed on Jun. 28, 2004, titled “Controlling Use of a Mobile Work Station Based on Network Environment,” Application Ser. No. 60/598,364, filed on Aug. 3, 2004, titled “Systems and Methods for Enhancing and Optimizing a User's Experience on an Electronic Device,” Application Ser. No. 60/652,121, filed on Feb. 11, 2005, titled “Remote Access Services,” and Application Ser. No. 60/653,411, filed on Feb. 16, 2005, titled “Creating an Environment for Secure Mobile Access Anywhere,” the entirety of all of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to computer networking and, more particularly, to systems and methods for enhanced network client security.

BACKGROUND

As the workforce becomes more mobile, enterprises often must provide a means for their users to connect to the enterprise network remotely. Enterprises and their users have much greater flexibility in selecting methods of connecting to the enterprise network as well as other resources, such as the Internet. With this added flexibility comes a concomitant increase in complexity and risk. Thus, although remote access may be necessary, enterprises may resist providing their users with remote access.

Each remote method for connecting to an enterprise network opens a potential security hole that might be exploited. For instance, listeners on a network, such as rogue access points, may be able to determine a user's username/password combination for accessing the network. Also, remote users may expose username/password combinations by, for example, writing them on a card affixed to a laptop. Once exposed, unscrupulous persons may gain access to the username/password combinations and then log into an enterprise's systems, posing as the authorized user. The enterprise typically has limited means to determine that a user utilizing a valid username and password is actually unauthorized.

SUMMARY

Embodiments of the present invention provide systems and methods for enhanced network client security. One aspect of one embodiment of the present invention comprises receiving a security-related policy associated with a user, determining a security model associated with the security-related policy, and applying the security model to a network connection on a client device. One aspect of another embodiment of the present invention comprises receiving a first measure associated with a usage characteristic, the usage characteristic associated with a user, receiving a second measure associated with the usage characteristic, comparing the first measure and second measure, and determining the likelihood that an unauthorized access has occurred based at least in part on the comparison. In another embodiment, a computer-readable medium (such as, for example, random access memory or a computer disk) comprises code for carrying out such methods.

These illustrative embodiments are mentioned not to limit or define the invention, but to provide examples to aid understanding thereof. Illustrative embodiments are discussed in the Detailed Description, and further description of the invention is provided there. Advantages offered by the various embodiments of the present invention may be further understood by examining this specification.

FIGURES

These and other features, aspects, and advantages of the present invention are better understood when the following Detailed Description is read with reference to the accompanying drawings, wherein:

FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention;

FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention;

FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention;

FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention;

FIG. 5 is a flowchart illustrating a process for applying a security model to a network connection in one embodiment of the present invention; and

FIG. 6 is a flowchart illustrating a process for statistical attack determination in one embodiment of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention provide systems and methods for enhanced network client security. There are multiple embodiments of the present invention. By way of introduction and example, one illustrative embodiment of the present invention provides a method for centralized security management. In such an embodiment, an administrator establishes one or more security-related policies.

For instance, the administrator may determine that only client devices having a personal firewall and the latest virus definition files are to be allowed to connect to the enterprise's confidential data via a Wi-Fi connection. However, only a VPN is required for a dial-up line. The administrator establishes the policies in a central policy server. When a user logs into the enterprise server, the policies are downloaded to the user's client device.

When the user next attempts to log in to the enterprise server via a Wi-Fi connection, a connection manager on the client device generates a security model based on the security-related policy. The connection manager then applies the security model to the Wi-Fi connection. If the user does not have an active personal firewall and the latest virus definitions, the connection to the enterprise server is torn down. The user may still access the enterprise server via other network types, depending on the security model for each of the network types.
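The policy-to-model-to-connection path just described, written out as an added example; this is not code from the patent, and the names (ClientState, POLICIES, security_model, apply_model, decide) and the policy layout are assumptions made for the illustration. The policy table reproduces the two example rules above (Wi-Fi needs a firewall and current virus definitions, dial-up needs a VPN) and the rules processor fails closed for a network type the policy does not mention:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientState:
    """Posture facts the connection manager can observe on the client
    (constructed for this example)."""
    firewall_active: bool
    virus_definitions_current: bool
    vpn_connected: bool


# Security-related policies as an administrator might publish them from the
# central policy server (hypothetical layout): one entry per network type,
# naming the posture checks that must hold before the enterprise connection
# is allowed over that network.
POLICIES = {
    "wifi":   {"firewall_active", "virus_definitions_current"},
    "dialup": {"vpn_connected"},
    "lan":    set(),
}


def security_model(policy: dict, network_type: str) -> frozenset:
    """Derive the security model for one network type: the set of checks the
    connection must satisfy. A network type with no policy entry gets the
    union of every known check so that an unlisted network fails closed."""
    if network_type in policy:
        return frozenset(policy[network_type])
    return frozenset().union(*policy.values())


def apply_model(model: frozenset, state: ClientState):
    """Apply the model to the client's current posture.
    Returns (allowed, failed_checks); failed_checks is sorted for stable output."""
    failed = sorted(check for check in model if not getattr(state, check))
    return (not failed, failed)


def decide(policy: dict, network_type: str, state: ClientState) -> dict:
    """The whole path in miniature: policy -> security model -> apply to connection."""
    model = security_model(policy, network_type)
    allowed, failed = apply_model(model, state)
    return {"network": network_type, "allowed": allowed, "failed_checks": failed}


if __name__ == "__main__":
    # Laptop on Wi-Fi with its personal firewall switched off: connection refused.
    print(decide(POLICIES, "wifi", ClientState(False, True, True)))
    # The same laptop on dial-up only needs the VPN, so it is admitted.
    print(decide(POLICIES, "dialup", ClientState(False, True, True)))
```

The returned `failed_checks` list is what a connection manager would surface to the user or log when it tears the connection down, and the fail-closed default for unknown network types is the choice a defender wants when an administrator adds a new connection type before updating the policy.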

The administrator can modify and add policies based on changes to available network types, security threats, and other reasons. The changes are dynamically applied to the client in a manner that is transparent to the user.

This introduction is given to introduce the reader to the general subject matter of the application. By no means is the invention limited to such subject matter. Illustrative embodiments are described below.

System Architecture

Various systems in accordance with the present invention may be constructed. Referring now to the drawings in which like numerals indicate like elements throughout the several figures, FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention. The system shown in FIG. 1 includes a client 102. The client is in communication with a security server 104.

Communication with the security server 104 occurs via a network 108. The network 108 may comprise a public or private network and may include the Internet. The network may also comprise a plurality of networks, including, for example, dedicated phone lines between the various components. In one embodiment, the client 102 communicates with the security server 104 via a virtual private network (“VPN”) established over the Internet.

The security server 104 is also in communication with an enterprise server 106 via a network. The network 108 may comprise various elements, both wired and wireless. In one embodiment, the communication between the security server 104 and enterprise server 106 occurs over a static VPN established over dedicated communication lines.

In one embodiment, a user connects a client device 102 to the network 108 using a network access user interface. The network access user interface is always on and only allows the user to connect to the network 108 via the interface. The network access user interface automatically causes the client 102 to connect to the security server 104 through the network 108. The security server 104 provides value-added services to the client 102 and to one or more enterprises. Access to other services, such as the Internet, may be provided via the security server 104.

Although FIG. 1 includes only a single client 102, security server 104, and enterprise server 106, an embodiment of the present invention will typically include a plurality of clients 102 and may include a plurality of security servers 104 and enterprise servers 106.

FIGS. 2 through 4 are block diagrams illustrating components on the client 102, security server 104, and enterprise server 106. Each of the components shown may be a third-party application, a custom application, or a combination of both. Each of the components may also be implemented in hardware, software, or a combination of hardware and software.

Client Devices

FIG. 2 is a block diagram illustrating the modules present on a client device 102 in one embodiment of the present invention. Examples of client device 102 are personal computers, digital assistants, personal digital assistants, cellular phones, mobile phones, smart phones, pagers, digital tablets, laptop computers, Internet appliances, and other processor-based devices. In general, a client device 102 may be any suitable type of processor-based platform that is connected to the network 108, and that interacts with one or more application programs. The client device 102 can contain a processor coupled to a computer-readable medium, such as RAM. Client device 102 may operate on any operating system, such as Microsoft® Windows® or Linux. The client device 102 is, for example, a laptop computer executing a network access user interface.

The modules shown in FIG. 2 represent functionality of the client 102. The modules may be implemented as one or more computer programs that include one or more modules. For instance, in one embodiment, all the modules shown in FIG. 2 are contained within a single network access application. Also, the functionality shown on the client 102 may be implemented on a server in other embodiments of the present invention. Likewise, functionality shown in FIGS. 3 and 4 as being on a server may be implemented on the client 102 in some embodiments of the present invention.

The client 102 shown in FIG. 2 comprises a VPN client 202. The VPN client 202 allows the client 102 to connect to the enterprise server 106. In one embodiment of the present invention, the VPN client 202 is used to determine whether or not the VPN client 202 is active and whether or not the VPN client 202 is connected to a VPN server. For instance, an embodiment of the present invention may determine whether or not to connect to a particular service based on whether or not the VPN client 202 is enabled.

In another embodiment of the present invention, the VPN client 202 is used for four purposes: (1) to manage policy files, which include information such as a gateway Internet Protocol (IP) address, secrecy and authentication level, and hash; (2) automatically connecting a VPN; (3) automatically disconnecting the VPN; and (4) monitoring the status of the VPN. Each of these four purposes may be affected by other modules, including, for example, the connection manager 210.

The client 102 also comprises a secure vault 204. The secure vault 204 protects content on the client 102. In one embodiment, the secure vault 204 is responsible for storing encrypted content on the client 102 and allowing access to the encrypted content based on a set of permissions or policies. In such an embodiment, a content creator can provide access via a viewer to secured content and allow a recipient of the content read-only access or allow the recipient to perform other tasks, such as modifying the content and forwarding it to other users. In another embodiment, the secure vault 204 allows the user to create and distribute secure content to other clients 102; the content creator can decide to send a document to several users and allow two of the users full access and one of the users read-only access.

The client 102 shown in FIG. 2 also comprises a firewall 206. The firewall 206 allows port blocking via predefined policies. For instance, in one embodiment, an information technology (“IT”) manager specifies port blocking based on two zones, a safe zone and a dangerous zone. The IT manager specifies one of these two zones for each of the network interface devices installed on the client 102. The IT manager is then able to set port-blocking rules by zone on the firewall 206.

For example, the IT manager may classify a Wireless Fidelity (“Wi-Fi”) network interface as dangerous since it has traditionally been considered fairly unsafe. The IT manager may then apply more restrictive port-blocking rules to the dangerous zone than to the safe zone and its network interface devices, such as those used to connect to a wired Local Area Network (“LAN”) or a Personal Handyphone System (“PHS”) cellular connection. The PHS standard is a TDD-TDMA based microcellular wireless communications technology and has been traditionally considered relatively safer than Wi-Fi connections. The PHS cellular connection may also be referred to as a wireless wide area network (“WWAN”) as opposed to a dial-up connection providing access to a wide area network (“WAN”).

In various other embodiments, the port-blocking rules of the firewall 206 may be based on time of day, client IP address, terminating IP address, terminating and originating port, protocol, and other variables. In one embodiment, the port-blocking rules are based on policy data associated with individual users logged into the client 102.
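Zone-based port blocking with rules keyed on protocol, terminating address, terminating port and time of day, as an added example rather than code from the patent. The interface-to-zone map, the rule fields, the addresses (documentation ranges) and the helper names (Flow, Rule, evaluate, check) are assumptions made for the illustration; the safe/dangerous split and the variables the rules use come from the two paragraphs above:

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the firewall sees it (constructed)."""
    interface: str
    proto: str            # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    when: time            # local time of day


@dataclass(frozen=True)
class Rule:
    """A port-blocking rule; any field left as None matches everything."""
    action: str                        # "allow" or "block"
    proto: Optional[str] = None
    dst_net: Optional[str] = None      # CIDR of the terminating address
    dst_ports: Optional[range] = None  # terminating port range
    start: Optional[time] = None       # time-of-day window, start inclusive
    end: Optional[time] = None         # and end exclusive

    def matches(self, f: Flow) -> bool:
        if self.proto and self.proto != f.proto:
            return False
        if self.dst_net and ip_address(f.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.start and self.end and not (self.start <= f.when < self.end):
            return False
        return True


# Zone assignment per interface, as the IT manager would set it (hypothetical).
INTERFACE_ZONE = {"wlan0": "dangerous", "eth0": "safe", "phs0": "safe"}

# Ordered rules per zone; first match wins, and every zone ends with an
# explicit default. The dangerous zone only admits IKE to a constructed VPN
# gateway address and HTTPS during working hours; the safe zone is broad but
# still blocks the legacy NetBIOS/RPC ports.
ZONE_RULES = {
    "dangerous": [
        Rule("allow", proto="udp", dst_net="203.0.113.10/32", dst_ports=range(500, 501)),
        Rule("allow", proto="tcp", dst_ports=range(443, 444), start=time(7), end=time(20)),
        Rule("block"),
    ],
    "safe": [
        Rule("block", proto="tcp", dst_ports=range(135, 140)),
        Rule("allow"),
    ],
}


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'block'. An interface with no zone assignment is
    treated as dangerous so that an unclassified adapter fails closed."""
    zone = INTERFACE_ZONE.get(flow.interface, "dangerous")
    for rule in ZONE_RULES[zone]:
        if rule.matches(flow):
            return rule.action
    return "block"


def check(interface, proto, dst_ip, dst_port, hour, src_ip="10.0.0.5", src_port=50000):
    """Convenience wrapper: build a Flow at the given hour and evaluate it."""
    return evaluate(Flow(interface, proto, src_ip, dst_ip, src_port, dst_port, time(hour)))


if __name__ == "__main__":
    print("wifi https at 10:00 ->", check("wlan0", "tcp", "198.51.100.5", 443, 10))
    print("wifi https at 22:00 ->", check("wlan0", "tcp", "198.51.100.5", 443, 22))
    print("wired NetBIOS       ->", check("eth0", "tcp", "198.51.100.5", 139, 12))
```

The first-match-wins ordering with a trailing default is what makes the rule set auditable: an IT manager can read each zone top to bottom and know exactly which flow is admitted, and the unclassified-interface fallback covers the case where a new adapter (a USB tethering device, say) appears before the zone table is updated.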

In one embodiment, the port-blocking rules of the firewall 206 include a blacklist. The blacklist allows an IT manager to prevent an application from executing on the client 102. For instance, an IT manager may blacklist a DVD player so that a user is unable to view DVDs on the client 102. The firewall 206 may provide a message to the user informing the user that an application is unavailable.

In another embodiment, the firewall 206 implements a white list. The white list is somewhat more restrictive than the blacklist described above. The white list allows only specified applications to execute. For example, an IT manager may allow only MS Word, Excel, PowerPoint, and Outlook to execute. No other applications will be permitted to execute. The firewall 206 may be a custom firewall or a third-party firewall integrated into an embodiment of the present invention.

The embodiment shown in FIG. 2 also includes an antivirus module 208. The antivirus module 208 shown determines whether policy files, virus dictionary, or other virus-related resources are out of date and provides the client 102 with a mechanism for updating the files or data. The antivirus module 208 may restrict access to various connections, applications, and other functionality when the policy files are out of date. For instance, the antivirus module 208 may restrict the client 102 to connecting to a single gateway through which the policy files are available. In one embodiment, the antivirus module 208 comprises a third-party antivirus product that is integrated with the other modules on the client 102.

The client 102 also comprises a connection manager 210, which includes a rules processor. In one embodiment, the connection manager 210 assigns a priority number to every connection, e.g., one to one hundred, and selects the connection with the highest number to connect to.

The connection manager 210 may provide a connection to a variety of networks, including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.

In one embodiment, the connection manager 210 differentiates between public and private connections. A public connection is a connection provided by a service provider who has a relationship with the administrator of the security server 104, which allows the security server 104 to authenticate the connection. For instance, the security server 104 administrator may have a business arrangement with a hotspot provider. In order to connect, the client 102 connects to a local access point and the authentication of the user occurs automatically at the security server 104. In contrast, a private connection requires that all aspects of the authentication mechanism for a connection are managed in the absence of the security server 104, although the connection manager may provide certain facilities to allow for automated authentication where possible.

In one embodiment, the connection manager 210 makes connections available or unavailable to the client 102 based on policies present on the client 102. The connection manager 210 may also download changes to policy data and transmit quality of service (“QoS”) and other data to the security server 104 or the enterprise server 106.

In one embodiment, the connection manager 210 determines the type of connections that are available based on signals provided by hardware associated with the client 102. For example, when the client 102 passes near a hotspot, a Wi-Fi card in the client 102 senses the hotspot and sends a signal to the connection manager 210. For instance, the Wi-Fi card may sense a broadcast service set identifier (“SSID”). Once the signal exceeds a threshold, the connection manager 210 provides a signal to a user of the client 102 that the network is available or may automatically connect to the hotspot. Alternatively, the Wi-Fi card may poll for a non-broadcast SSID. The connection manager 210 may provide a single connection to the client 102 at one time or may provide multiple connections to the client 102.

The client 102 shown in FIG. 2 also comprises a QoS collector 212. The QoS collector 212 collects data values, including, for example, the number of bytes sent and received, the average transfer rate, the average signal strength at connection, termination cause, failed connections, and a network identifier. In another embodiment, the QoS collector 212 collects data during the session to determine when a connection provides inconsistent performance.

In one embodiment, the QoS collector 212 collects data regarding a connection during a session but does not send the data for a session until the next session. Thus, if a session is terminated abnormally, the QoS data will still be collected and transferred successfully. In another embodiment, the QoS collector 212 transfers data only when a particular type of connection is detected, such as a high-speed or low-cost connection.

The client 102 also comprises a session statistics module 214. The session statistics module stores data representing user characteristics. For instance, the session statistics module 214 may store a list of the applications a user generally accesses, how often the user is connected, the typical CPU and memory utilization measure, keyboard sequences, and other characteristics of a user. If a particular user deviates from the expected characteristics by greater than a threshold, such as N standard deviations, and the significance of the statistic is more than a specified amount, the session statistics module 214 can identify the current user as a potential unauthorized user.
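The N-standard-deviation test with a significance floor, as an added example that is not the patent's code. It also serves the server-side rules engine described later under the session manager, which applies the same comparison to stored statistics. The class and function names (UsageBaseline, assess, assess_profile), the default of N = 3, the 20-sample significance floor, the two characteristics tracked and the 30-session history are all assumptions constructed for the illustration; the "first measure" is the stored baseline and the "second measure" is the value observed in the current session:

```python
import math


class UsageBaseline:
    """Running mean and variance (Welford's method) for one usage characteristic
    of one user, so the baseline is updated session by session without
    keeping every past measure."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0

    def add(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    @property
    def stdev(self) -> float:
        """Sample standard deviation; 0.0 until at least two measures exist."""
        return math.sqrt(self._m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x: float) -> float:
        sd = self.stdev
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd


def baseline_from(values) -> UsageBaseline:
    b = UsageBaseline()
    for v in values:
        b.add(v)
    return b


def assess(baseline: UsageBaseline, measure: float, n_sigma: float = 3.0, min_samples: int = 20):
    """Compare the current measure with the stored baseline.
    Returns (suspicious, z). A baseline with fewer than min_samples observations
    is not yet significant and never raises an alert, however far off the value."""
    z = baseline.zscore(measure)
    if baseline.n < min_samples:
        return False, z
    return abs(z) > n_sigma, z


def assess_profile(baselines: dict, current: dict, n_sigma=3.0, min_samples=20, min_flags=2):
    """Evaluate several characteristics at once and require at least min_flags of
    them to deviate before naming the session a potential unauthorized user,
    so that a single noisy metric does not trigger the alert on its own."""
    flagged = [k for k, v in current.items()
               if k in baselines and assess(baselines[k], v, n_sigma, min_samples)[0]]
    return len(flagged) >= min_flags, flagged


# Constructed history for one user: 30 past sessions.
SESSION_MINUTES = [55, 60, 58, 62, 57, 61, 59, 63, 56, 60,
                   58, 62, 61, 59, 57, 60, 63, 58, 60, 61,
                   59, 62, 60, 58, 61, 57, 60, 59, 62, 60]
CPU_PERCENT = [18, 22, 20, 19, 23, 21, 20, 18, 22, 21,
               19, 20, 23, 21, 18, 20, 22, 19, 21, 20,
               22, 19, 20, 21, 18, 23, 20, 21, 19, 20]


def build_baselines() -> dict:
    return {"session_minutes": baseline_from(SESSION_MINUTES),
            "cpu_percent": baseline_from(CPU_PERCENT)}


if __name__ == "__main__":
    b = build_baselines()
    # A four-hour session pegging the CPU, from a user who averages an hour at 20%.
    print(assess_profile(b, {"session_minutes": 240, "cpu_percent": 95}))
    # A typical session for the same user.
    print(assess_profile(b, {"session_minutes": 60, "cpu_percent": 21}))
```

Two design points matter for a defender. The significance floor keeps a brand-new account, whose baseline is a handful of samples, from producing alerts on every session; and requiring more than one characteristic to deviate trades a little sensitivity for far fewer false positives, which is what keeps an analyst reading the alerts.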

The session statistics module 214 may perform other tasks as well. For instance, in one embodiment, the session statistics module 214 pre-loads applications based on a user's general usage patterns.

The client 102 shown in FIG. 2 also comprises a policy reader 216. In one embodiment, a company's policies are housed on the enterprise server 106. For instance, individual groups and users within an enterprise are identified and associated with policies, such as what types of connections they are able to access and what a user's VPN profile is. The user may also be able to specify a VPN policy on the client 102. In such an embodiment, the policy reader 216 downloads the policy rules from the enterprise server 106, accesses local user policies, and reconciles any conflicts between the two.

For example, an IT manager may establish a VPN profile to be used by a user when connecting to a Wi-Fi network. However, the user may wish to create a secondary VPN profile to be used if the first VPN becomes unavailable. The policy reader 216 loads both local and enterprise VPN profiles, resolving any conflict between the two VPN profiles.

In one embodiment, the policy reader 216 accesses data at an enterprise, department, and user level. In such an embodiment, some of the policy rules may be stored in a lightweight directory access protocol (“LDAP”) server on the client 102, security server 104, or enterprise server 106. In another embodiment, the policy reader 216 receives only changes to policy data and does not typically download all of the policy data at once. Policies downloaded by the policy reader 216 may be provided to the rules processor of the connection manager 210.
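Reconciling enterprise, department and user-level policy, including the secondary VPN profile case from the example above and the incremental-update path, as an added example that is not the patent's code. The policy keys, the precedence rules (a lower level may only narrow the connection list, may only tighten a boolean posture requirement, and may add VPN profiles as fallbacks but not replace one the enterprise has locked), the gateway names and the function names (reconcile, apply_changes) are assumptions constructed for the illustration:

```python
import copy

# Constructed policy layers, highest authority first. "locked" on a VPN profile
# means a lower layer may not supply a profile of the same name.
ENTERPRISE = {
    "allowed_connections": ["lan", "wifi", "dialup"],
    "vpn_profiles": [{"name": "corp-primary", "gateway": "vpn.example.test", "locked": True}],
    "wifi.require_firewall": True,
}
DEPARTMENT = {
    "allowed_connections": ["lan", "wifi"],      # narrower than the enterprise list
}
USER_LOCAL = {
    "vpn_profiles": [{"name": "home-fallback", "gateway": "home.example.test"}],
    "wifi.require_firewall": False,              # a user may not relax this
}


def reconcile(layers):
    """Merge ordered layers (highest authority first) into one effective policy.
    Returns (effective, conflicts); each conflict records a lower-layer value
    that was rejected in favour of the higher layer, for the audit log."""
    effective = copy.deepcopy(layers[0])
    conflicts = []
    for lower in layers[1:]:
        for key, value in lower.items():
            if key not in effective:
                effective[key] = copy.deepcopy(value)        # new key: accepted as-is
            elif key == "allowed_connections":
                # A lower layer can remove connection types but never add them.
                effective[key] = [c for c in effective[key] if c in value]
            elif key == "vpn_profiles":
                locked = {p["name"] for p in effective[key] if p.get("locked")}
                for profile in value:
                    if profile["name"] in locked:
                        conflicts.append(f"vpn profile {profile['name']} is locked by a higher layer")
                    else:
                        effective[key].append(copy.deepcopy(profile))   # tried after the primary
            elif isinstance(value, bool):
                # Posture requirements may be tightened (False -> True) but not relaxed.
                if effective[key] and not value:
                    conflicts.append(f"{key}: lower layer may not relax a required check")
                else:
                    effective[key] = effective[key] or value
            else:
                conflicts.append(f"{key}: kept higher-layer value")
    return effective, conflicts


def apply_changes(policy, changes):
    """Apply an incremental policy update, a list of ('set', key, value) or
    ('remove', key) tuples, without re-downloading the whole policy."""
    policy = copy.deepcopy(policy)
    for change in changes:
        op, key = change[0], change[1]
        if op == "set":
            policy[key] = change[2]
        elif op == "remove":
            policy.pop(key, None)
        else:
            raise ValueError(f"unknown change op {op!r}")
    return policy


if __name__ == "__main__":
    effective, conflicts = reconcile([ENTERPRISE, DEPARTMENT, USER_LOCAL])
    print(effective)
    print("rejected:", conflicts)
    print(apply_changes(effective, [("set", "dialup.require_vpn", True)]))
```

Returning the rejected values alongside the merged policy matters in practice: a user who tried to switch off the firewall requirement on Wi-Fi gets a clear reason when the connection is refused, and the same record is what a support person would look at first.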

The client 102 may also comprise a client security module 216. In one embodiment, the client security module 216 implements a client asset protection process. When the client security module 216 receives a signal indicating that the client asset protection process is to be executed, the client security module 216 may, for example, disable devices and interfaces on the client device 102 and may, in some embodiments, encrypt the hard drive of the client device 102 so that the files stored on the drive are not easily accessible.

The client 102 may also comprise a user interface 220. The user interface 220 may control the underlying operating environment or the user's view of the underlying environment. For example, in one embodiment, the user interface 220 supplants the Microsoft® Windows® operating system interface from the user's perspective. In other words, the user is unable to access many of the standard Windows features. Such a user interface may be implemented to limit the applications and configuration settings a user is able to access. In some embodiments, such as a personal digital assistant (“PDA”), no user interface is provided by an embodiment of the present invention; the standard PDA user interface is utilized.

The user interface 220 provides the user with an easy-to-use mechanism for accessing network connections. In one embodiment, when the user interface 220 is visible, it provides a very easy-to-use format that displays network connection types and provides other functionality to the user. For example, during complex operations, such as connecting to a new network type, the user can simply select a single button within the user interface 220 and the client 102 will properly disconnect from the previous network, acquire the new network, perform all authentication and policy-based requirements, and then allow the user to continue using an application on the new network. This simple, easy-to-use user interface 220, the complexity of which may be hidden and completely automatic, allows a less-technical user to successfully operate the client 102. All network connection, authentication, secure sign-on, VPN parameters, and other aspects of the connection are managed by the user interface 220.

The client 102 shown in FIG. 2 also comprises a security agent 222. In some embodiments, the security agent 222 is also referred to as a “bomb.” In one embodiment, an IT manager indicates that the security agent 222 should be activated when the client 102 next connects to the enterprise server 106. The IT manager may do so because the client 102 has been reported stolen. Subsequently, the client 102 connects to the enterprise server 106, either directly or indirectly, and receives the message to initiate the security agent 222.

In one embodiment, when the security agent 222 activates, it stops all applications from being able to run and encrypts the data on the hard drive of the client 102. For instance, the security agent 222 may implement a white list as described above and then implement a secure vault for all data on the client 102. The connection manager 210 may also be configured so that no connections are possible.

In one such embodiment, since the data is merely encrypted by the security agent 222, rather than erased, the data may be recovered if the client 102 is subsequently recovered. For instance, the enterprise may retain the key needed for decrypting the local drive. The client 102 is returned to the enterprise, which then decrypts the drive. In another embodiment, the data on the local drive of the client is rendered inaccessible by, for example, writing over the data multiple times.

The client 102 shown in FIG. 2 also comprises an out-of-band communication receiver 224. The out-of-band communication receiver 224 allows the client to receive communications other than through a network-based connection. The connection manager 210 may manage the out-of-band communication. For instance, the command to activate the security agent 222 may be transferred via a short messaging service (“SMS”) communication received by the out-of-band communication receiver 224.

Security Server

FIG. 3 is a block diagram illustrating the modules present on a security server 104 in one embodiment of the present invention. The security server 104 shown in FIG. 3 comprises a remote authentication dial-in user service (“RADIUS”) server 302, which may also be referred to as an AAA (authentication, authorization, and accounting) server. RADIUS is the standard by which applications and devices communicate with an AAA server.

The RADIUS server 302 provides authentication services on the security server 104. In some embodiments of the present invention, the RADIUS server 302 proxies to a RADIUS server on the enterprise server 106. In one embodiment, the RADIUS server 302 provides mutual authentication for the client 102 using Extensible Authentication Protocol Transport Layer Security (“EAP-TLS”). Although EAP-TLS itself is strictly an 802.1x authentication protocol, designed primarily for Wi-Fi connections, the underlying TLS authentication protocol may be deployed in both wired and wireless networks. EAP-TLS performs mutual secure sockets layer (“SSL”) authentication. This requires both the client device 102 and the RADIUS server 302 to have a certificate. In mutual authentication, each side may prove its identity to the other using its certificate and its private key.

The security server shown in FIG. 3 also comprises an LDAP server 304. The LDAP server 304 uses the LDAP protocol, which provides a mechanism for locating users, organizations, and other resources on the network. In one embodiment of the present invention, the LDAP server 304 provides access control at the network layer to various components that an enterprise customer may or may not purchase. For example, a customer may choose to implement a secure vault as described in relation to FIG. 1. In such a case, the customer or users or groups associated with the customer are also associated with the firewall module. The LDAP entry is then used to determine that the firewall is to be enabled on a client.

In some embodiments, the LDAP server 304 is implemented as a list of user identifiers not using the LDAP protocol. In another embodiment, data in the LDAP server 304 is propagated from data present in the enterprise server 106.

The security server 104 shown in FIG. 3 also comprises a session manager 306. The session manager 306 controls sessions, including sessions between the client 102 and enterprise server 106. In some embodiments, the session manager 306 also determines how to route data requests. For instance, the session manager 306 may determine that a particular data request should be routed to the Internet rather than to the enterprise server 106. This may be referred to as “splitting the pipe” and provides a mechanism to replace “split tunneling” (a traditional configuration option with most standard VPN clients) at the client device by the more secure split of traffic not intended for the enterprise at the security server, allowing monitoring of all traffic without the enterprise incurring the expense of the extra bandwidth required.

In some embodiments, the client 102 and enterprise server 106 establish a VPN for communication. In such an embodiment, the session manager 306 may be unable to route requests to any location other than the enterprise; the packets are encrypted and thus cannot be separately evaluated.

In one embodiment, the session manager 306 performs automated authentication of a client device 102 or user. For example, if the session manager 306 determines that a client 102 is approaching a Wi-Fi hotspot, the session manager 306 is able to pre-populate the hotspot with the certificate that the hotspot requires to authenticate the user. In this manner, the authentication appears very fast to the user. The session manager 306 may also control the manner in which data is queued for download to the client device 102.

In one such embodiment, the session manager 306 provides two modes for data queuing. In a first mode, the session manager 306 determines that the network down time will be brief, e.g., the user is moving through a tunnel, which interferes with network access. In such a case, the session manager queues a minimal amount of data. In a second mode, the session manager 306 determines that the network down time will be of a longer duration, e.g., the user is boarding a plane from New York to Tokyo. In such a case, the session manager 306 may queue a larger amount of data. In one such embodiment, the session manager 306 determines the mode by querying the user for the downtime interval. When the user reconnects to the security server 104, the session manager 306 determines the best manner of downloading the queued data and begins the download.

In one embodiment, the session manager 306 comprises a packet shaper (not shown). The packet shaper provides various functional capabilities to the session manager 306. For example, in one embodiment, the packet shaper provides a mechanism for prioritizing packets sent between the enterprise server 106 and the client 102. In one embodiment, the packet shaper utilizes Multiprotocol Label Switching (“MPLS”). MPLS allows a specific path to be specified for a given sequence of packets. MPLS allows most packets to be forwarded at the switching (layer 2) level rather than at the routing (layer 3) level. MPLS provides a means for providing QoS for data transmissions, particularly as networks begin to carry more varied traffic.

The session manager 306 may also provide session persistence capabilities. For instance, in one embodiment, when a user drops a connection or moves from one provider network coverage area to another, the session manager 306 persists a virtual connection as the first connection is terminated and the second is initiated.

The session manager 306 may include a server-side rules engine. The server-side rules engine may use historical information, such as the session statistics described above, for statistical attack determination. For instance, the session manager 306 may access a stored statistic regarding a client device 102 and, based on monitoring of the current statistics for the client device 102, determine that an unauthorized user is using the client device 102.

The security server 104 shown in FIG. 3 also comprises a real-time monitor 308. The real-time monitor 308 monitors the status of communications, such as which clients and users are logged on, the amount of data being transferred, ongoing QoS measures, ports in use, and other information.

When the real-time monitor 308 detects a problem, it may issue an alert to network support. In one embodiment, data from the real-time monitor 308 is provided to users via a portal available on the security server 104. In another embodiment, the real-time monitor 308 transfers information to the enterprise server 106, from which users access the data.

The embodiment shown in FIG. 3 also comprises a historical monitor 310. The historical monitor 310 provides information similar to the real-time monitor 308. However, the underlying data is historical in nature. For instance, in one embodiment, the historical monitor 310 provides audit information for making intelligent business decisions and for dealing with regulatory compliance issues.

The information available via the historical monitor 310 may include, for example, historical QoS data, registration compliance data, and metrics consistency data. The historical data monitor 310 may be used to determine that certain clients are not performing optimally by comparing metrics of various clients over time. For instance, by evaluating information available via the historical data monitor 310, a support person may be able to determine that a radio tuner on a specific client device 102 is failing. If the user of one client device 102 is complaining about the availability of service, but other users are able to successfully access service, then the client device's radio may be the problem.

The historical data monitor 310 may also be used to reconcile information captured on the security server 104 regarding connections and data provided by telecommunication carriers. The data may be used to determine when certain resources need to be increased and when a certain carrier is not performing adequately.

The security server also comprises a database 312. In embodiments of the present invention, the database 312 may be any type of database, including, for example, MySQL, Oracle, or Microsoft SQL Server relational databases. Also, although the database 312 is shown as a single database in FIG. 2, the database 312 may actually comprise multiple databases, multiple schemas within one or more databases, and multiple tables within one or more schemas. The database 312 may also be present on one or more other machines, e.g., database servers.

In one embodiment of the present invention, the database 312 stores customer information regarding enterprises served by the security server 104, such as a list of valid users, a list of valid cellular cards, the relationships between the individual users and groups within the enterprise, and other customer information.

For example, in one embodiment, the database 312 stores an association between users and cellular data cards. The enterprise may allocate a single user to a specific data card. Alternatively, the enterprise may associate a group of users with a group of cellular data cards. Other types of data may also be stored in the database 312, such as billing data.

The security server 104 shown in FIG. 3 also comprises a QoS server 314. The QoS server 314 uploads information from the QoS collector 212 on the client device 102 and stores the QoS data. The QoS server 314 can collect data from multiple clients and store it in the database 312.

The security server also comprises a QoS tools engine 316. The QoS tools engine 316 displays data made available by the QoS server 314 and other processes, such as the real-time monitor 308.

In one embodiment, the QoS tools engine 316 provides an aggregation of QoS data in a spreadsheet. In another embodiment, the QoS tools engine 316 provides data using map views, pie charts, and graphs. The QoS tools engine 316 may also provide the capability for setting QoS-based alarms and may provide data to users via a portal.

In the embodiment shown in FIG. 3, the security server 104 also comprises a portal server 318. The portal server 318 may be, for example, a web server. Any standard web server application may be utilized, including Microsoft® Internet Information Server (“IIS”) or Apache.

Although the security server 104 shown in FIGS. 1 and 3 is illustrated as a single server, it may comprise multiple servers. For example, in one embodiment of the present invention, the security server 104 comprises multiple regional servers.

Also, the description above suggests that data is provided to and queried from the security server 104 by the client 102, i.e., the client pulls the data. However, in some embodiments, the client 102 also comprises a listener (not shown) so that the security server 104 can push data to the client 102.

Enterprise Server

FIG. 4 is a block diagram illustrating the modules present on an enterprise server 106 in one embodiment of the present invention. The enterprise server 106 may also be referred to herein as a customer server and may comprise one or more servers for one or more enterprises linked to one or more security servers 104.

The enterprise server 106 shown in FIG. 4 comprises a policy server 402. The policy server 402 provides a means for managing the policy rules, including, for example, available VPN profiles, available transports (e.g., Wi-Fi, LAN, PHS, Dialup), firewall rules, such as blacklists and white lists, connection rules, and antivirus rules. The policy server 402 may include other rules as well, such as the level of data throttling to perform for each client or group of clients. Data throttling limits the data transfer rate to a particular client 102 so that connection resources can be optimized.

The policies may be managed at one or more levels. For example, an IT manager may wish to create a VPN profile for the enterprise as a whole, but a different VPN profile for an engineering group since the engineering group needs access to various unique applications.

The policy server 402 may also provide a mechanism for configuring the location of various servers that the client 102 will utilize. For instance, the policy server 402 may allow an IT manager to specify the IP address of an acceleration server 404 or a vault server 406.

In one embodiment, the policy server 402 also allows the IT manager to specify which users receive updates for various components on the client 102. The policy server 402 may also allow the IT manager to perform connection configuration. For instance, the IT manager may use the policy server 402 to specify phone numbers for PHS connections, Wi-Fi SSIDs for private connections, and other connection configuration information.

The enterprise server 106 shown in FIG. 4 also comprises an acceleration server 404. The acceleration server 404 performs processes to improve the performance of data transfer. For instance, the acceleration server 404 may automatically compress images that are to be transferred to a client 102.

In one embodiment, the acceleration server 404 communicates with the policy server 402. An IT manager sets acceleration rules using the policy server 402, and the acceleration server 404 uses these rules to determine what level of acceleration to use for a particular communication. In one embodiment, the IT manager sets a default level of acceleration for all communication and a specific level of acceleration for one group of users. The specific level of acceleration may be referred to as an override.

The enterprise server 106 also comprises a vault server 406. The vault server comprises two components, an automatic component and an administration component. In one embodiment, the automatic component integrates with an enterprise's mail server (not shown) and performs operations on emails to and from the mail server. For instance, the vault server 406 may quarantine an email, automatically encrypt the email before it is sent, add a legal disclaimer to an email, or perform other functions on the email.

In one embodiment, the automatic component of the vault server 406 searches an email based on words or based on the domain or specific address to which the email is addressed or from which the email originated. Using this information, the user can perform functions on the email, such as those described above.

The administration component of the vault server 406 allows a user to terminate access to secure content, either by a specific user or by all users. It also logs activity. Using one embodiment of the vault server 406, a user can indicate that a set of users whose employment has been terminated will no longer have access to any secure content. In an alternative embodiment of the vault server 406, a user can indicate that a given element of secure content, say a price list, is now out of date, and so that piece of secure content will no longer be viewable by any user. When each user accesses the secure content, the vault server 406 logs the event. So for each secure content element, the vault server 406 creates a log of all activity on the secure content.

In one embodiment, the vault server 406 also compresses data. For instance, one embodiment utilizes standard PKZIP compression to compress all content. In another embodiment, an IT manager may identify three types of images and specify a different level of compression for each type of image based on the level of resolution necessary for each type of image.

The enterprise server 106 also comprises a RADIUS server 408 and LDAP server 410, which are similar to those described above in relation to the security server 104. The RADIUS server 302 on the security server 104 may proxy to the RADIUS server 408 on the enterprise server 106. Similarly, data in the LDAP server 410 may be propagated to the LDAP server 204 on the security server 104.

The enterprise server 106 also comprises a one-time password (“OTP”) server 412. The OTP server 412 provides a mechanism for authentication. For instance, in one embodiment of the present invention, the enterprise server 106 uses the OTP server 412 to perform a mutual authentication process.

The enterprise server 106 also comprises a concentrator 414. The concentrator 414 provides remote access capability to the client 102. For instance, the concentrator 414 may serve as a means for terminating a VPN between the client 102 and enterprise server 106.

The enterprise server 106 shown in FIG. 4 also comprises a portal server 416. The portal server 416 may comprise a standard web server, such as IIS or Apache. The portal server 416 may provide one or more portals. For example, in one embodiment, the portal server 416 provides two portals, portal one and portal two.

Portal one provides a configuration interface for managing the various elements shown in FIGS. 2 and 3, including, for example, the policy server 402 and LDAP server 410. Portal two provides an interface for accessing data, such as QoS data and session data.

For instance, a user may use historical QoS data on portal two to determine how a particular provider is performing in terms of throughput, user connections, and other QoS metrics. Portal two may also provide real-time information, such as how many users are currently connected.

For instance, in one embodiment, an IT manager determines that twenty users have been rejected by a carrier in the last three minutes due to authentication failure and five users with the same user identifier are currently logged on to five different devices. The IT manager uses this information to detect a potential security problem. Portal two may also be used to set alerts as described above.

It should be noted that the present invention may comprise systems having a different architecture than that which is shown in FIGS. 1 through 4. For example, in some systems according to the present invention, the security server 104 and enterprise server 106 may comprise a plurality of security and enterprise servers. The system 100 shown in FIGS. 1 through 4 is merely illustrative, and is used to help explain the illustrative systems and processes discussed below.

Illustrative Methods of Enhanced Network Client Security

The following illustrative embodiments utilize a central policy server 402 on an enterprise server 106. In one embodiment, the client device 102 downloads security-related policies from the policy server 402 and the connection manager 210 utilizes the policies to generate one or more security models and applies the security models to connections. FIG. 5 is a flowchart illustrating a process for applying a security model to a network connection in one embodiment of the present invention. In the embodiment shown, the connection manager 210 receives an indication that a network connection is established 502. For example, a user may click a button on the user interface 220 to cause the connection manager 210 to disconnect from a first network connection and connect to a second network connection. The connection manager 210 is able to determine when the second connection has been successfully completed.

The connection manager 210 then determines the network type 504. If the connection manager 210 established the second network connection, the connection manager 210 may store the network type as part of the process of establishing the connection. In another embodiment, the connection manager 210 analyzes an existing connection to determine the network type. The connection manager 210 may obtain other attributes of the network, such as the speed, provider, reliability, and other attributes. The connection manager 210 may obtain the attributes by examining the network or may obtain attributes of the network that have been previously stored, such as performance metrics.

In the embodiment shown in FIG. 5, the connection manager 210 next receives a security-related policy associated with the user 506. The security-related policy may be downloaded from a centralized policy management data store. For example, in one embodiment, an administrator establishes security-related policies in the policy server 402. The policy reader 216 on the client 102 downloads policies from the policy server 402. The connection manager 210 then receives the security-related policies from the policy reader 216. The policies may be in the form of an XML file, database, or other data store.

The connection manager 210 next determines a security model associated with the security-related policy 508. For instance, the connection manager 210 may determine that a particular level of firewall and anti-virus protection is required for the network type currently accessed by the client 102. In one embodiment, the security model may require that a VPN be established in order to use a particular network type. In another embodiment, a particular white list or blacklist may be required for the current network type. In other embodiments, each security model may comprise a different combination of firewall, VPN, anti-virus and other attributes, which can be used in combination to implement a security-related policy.

Once the connection manager 210 determines the security model associated with the security-related policy, the connection manager 210 applies the security model to the network connection 510. For instance, if a particular level of firewall protection is necessary for the network type utilized by the network connection, the connection manager 210 causes the firewall to provide the requisite level of protection. In one embodiment, if the anti-virus or firewall protection is insufficient to support the type of connection the client 102 is attempting to access, the connection manager 210 will not permit the connection to occur. In one embodiment, the connection manager 210 utilizes one or more security models to determine the most appropriate connection to utilize based on a security-related policy and connects automatically to that network. In another embodiment, the connection manager 210 disables or hides connections if the client does not have sufficient security components, e.g., the appropriate firewall, for establishing the connection.
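As an added worked example (not code from the patent or from any product it describes), steps 506 through 510 of FIG. 5 in Python: a constructed XML policy is parsed into one security model per network type, the client's installed components are checked against the model for the detected network type, and the connection is either given its firewall and VPN actions or refused, with unsupported connection types hidden from the list offered to the user. The XML layout, the attribute names, the numeric firewall levels and the capability record are all assumptions.

```python
# Added example (not the patent's code): FIG. 5 steps 506-510 as a small
# connection-manager routine. XML layout, attribute names, firewall levels
# and the ClientCapabilities record are assumptions for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy document, standing in for the XML file the policy
# reader 216 downloads from the policy server 402 (assumed layout).
POLICY_XML = """
<policy group="engineering">
  <network type="lan"    firewall="1" antivirus="true"  vpn="false"/>
  <network type="wifi"   firewall="2" antivirus="true"  vpn="true"
           blacklist="tracker.invalid,ads.invalid"/>
  <network type="dialup" firewall="1" antivirus="false" vpn="true"/>
</policy>
"""

@dataclass(frozen=True)
class SecurityModel:
    """Step 508: firewall, VPN and anti-virus attributes the policy demands
    for one network type."""
    firewall_level: int          # 0 = no firewall required
    antivirus_required: bool
    vpn_required: bool
    blacklist: Tuple[str, ...]   # hosts the firewall must block

@dataclass(frozen=True)
class ClientCapabilities:
    """Security components the client 102 actually has available."""
    firewall_level: int          # highest level the local firewall can enforce
    antivirus_installed: bool
    vpn_available: bool

def load_policy(xml_text: str) -> Dict[str, SecurityModel]:
    """Step 506: parse the policy into one SecurityModel per network type."""
    root = ET.fromstring(xml_text.strip())
    models = {}
    for net in root.findall("network"):
        raw_blacklist = net.get("blacklist", "")
        models[net.get("type")] = SecurityModel(
            firewall_level=int(net.get("firewall", "0")),
            antivirus_required=net.get("antivirus", "false") == "true",
            vpn_required=net.get("vpn", "false") == "true",
            blacklist=tuple(h for h in raw_blacklist.split(",") if h),
        )
    return models

def missing_components(model: SecurityModel, caps: ClientCapabilities) -> List[str]:
    """Components the client lacks for this model (empty list = sufficient)."""
    missing = []
    if caps.firewall_level < model.firewall_level:
        missing.append("firewall")
    if model.antivirus_required and not caps.antivirus_installed:
        missing.append("antivirus")
    if model.vpn_required and not caps.vpn_available:
        missing.append("vpn")
    return missing

def apply_security_model(models: Dict[str, SecurityModel], network_type: str,
                         caps: ClientCapabilities) -> Optional[List[str]]:
    """Steps 508-510: pick the model for the detected network type and return
    the actions to apply, or None when the connection must not be permitted
    (unknown network type, or insufficient client components)."""
    model = models.get(network_type)
    if model is None or missing_components(model, caps):
        return None
    actions = [f"firewall:level={model.firewall_level}"]
    actions += [f"firewall:block={host}" for host in model.blacklist]
    if model.vpn_required:
        actions.append("vpn:establish")
    return actions

def permitted_network_types(models: Dict[str, SecurityModel],
                            caps: ClientCapabilities) -> List[str]:
    """Connection types to offer in the UI; the rest are disabled or hidden."""
    return sorted(t for t, m in models.items() if not missing_components(m, caps))
```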

In one embodiment, a component on the client device compares a user's behavior with the user's past behavior based on usage characteristics. If the present behavior and the past behavior differ significantly, the current user may be identified as an unauthorized user, e.g., someone who discovered the user's username and password. The process of identifying a user as invalid based on usage characteristics may be referred to as statistical attack detection. FIG. 6 is a flowchart illustrating a process for statistical attack determination in one embodiment of the present invention. In the embodiment shown, a session statistics module 214 receives a first measure associated with a usage characteristic 502. The first measure may be, for example, a mean, median, maximum, minimum, or other summary measure of a usage characteristic. Each measure may comprise a plurality of measurements. In one embodiment, the measure is a code representing the history of a usage characteristic. For instance, in one embodiment, the measure is related to a keystroke sequence usage characteristic. The measure is a code indicating how often a particular keystroke sequence is used during the first five minutes a client 102 is connected to a network 108.

In embodiments of the present invention, the usage characteristic may be a characteristic that provides information about how a particular user utilizes a client 102. For example, in one embodiment, the usage characteristic comprises at least one usage characteristic selected from the group consisting of a uniform resource locator visited, an application launched, a number of system calls per specified duration, a keystroke sequence, a system call, a processor utilization measure, and a memory utilization measure. In another embodiment, the usage characteristic comprises at least one usage characteristic selected from the group consisting of a traffic level associated with a connection, a protocol used, and a port hit.

The session statistics module next receives a second measure associated with the usage characteristic 504. The second measure may be an actual measure of activity at a point in time. For instance, in one embodiment, the first measure is average processor utilization by a particular user on a particular client 102. The second measure is actual processor utilization at a point in time by the user on the client 102.

The session statistics module 214 compares the first measure and the second measure 608. The session statistics module 214 then determines whether the first and second measures differ significantly 610. For instance, the session statistics module 214 may perform a statistical linear regression on the measures collected for the user and client 102 previously and the current measure.

If the measures differ significantly, the session statistics module signals an unauthorized access 612. For example, the session statistics module 214 may send a signal to the enterprise server 106, indicating an unauthorized access. In another embodiment, the client device 102 disconnects from the enterprise server 106 and does not allow the user to make any further network connections. Once the signal has been sent or a determination made that the measures do not differ significantly, the process ends 614.

In response to the indication, the enterprise server 106 may disable a user's access to confidential information. The enterprise server 106 may also disable a user's access to any network connections. In one embodiment, the enterprise server 106 or security server 104 monitors the usage characteristics for particular users and causes their access to be suspended if a potential attack is identified. Such a server-based embodiment may rely on a subset of the data available to a client-based embodiment.
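An added worked example (not the patent's code) of the statistical attack determination of FIG. 6, steps 608 through 614, generalised slightly beyond the processor-utilization instance in the text to any numeric usage characteristic: the first measure is the user's history of samples, the second is the current sample, and the linear regression the text mentions is implemented as a least-squares trend through the history whose residual spread sets the threshold. The sample values, the threshold k, the minimum history length and the decision not to fold a flagged sample back into the baseline are assumptions.

```python
# Added example (not the patent's code): statistical attack determination
# in the shape of FIG. 6 for one numeric usage characteristic. A least-squares
# line is fitted to the history (the "statistical linear regression" of the
# text); the current sample is scored by its distance from the trend in units
# of residual standard deviation. Sample values and thresholds are assumptions.
from dataclasses import dataclass, field
from math import sqrt
from typing import List, Tuple

# Constructed history: processor utilisation (%) of one user on one client
# 102, one sample per past session, drifting slowly upward.
BASELINE_SAMPLES = [20, 22, 21, 23, 22, 24, 23, 25, 24, 26]

@dataclass
class UsageHistory:
    characteristic: str
    samples: List[float] = field(default_factory=list)   # oldest first

def fit_trend(ys: List[float]) -> Tuple[float, float, float]:
    """Least-squares line through the points (i, ys[i]); returns slope,
    intercept and the residual standard deviation of the fit."""
    n = len(ys)
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    slope = sxy / sxx if sxx else 0.0
    intercept = mean_y - slope * mean_x
    residuals = [y - (intercept + slope * x) for x, y in enumerate(ys)]
    resid_sd = sqrt(sum(r * r for r in residuals) / max(n - 2, 1))
    return slope, intercept, resid_sd

def compare_measures(history: UsageHistory, current: float, k: float = 3.0,
                     min_samples: int = 8, sd_floor: float = 1.0) -> Tuple[bool, float]:
    """Steps 608-610: returns (differs_significantly, score). The score is the
    distance of the current sample from the trend's next predicted value in
    residual standard deviations; sd_floor keeps a nearly flat history from
    flagging trivial noise, and too little history never flags."""
    ys = history.samples
    if len(ys) < min_samples:
        return False, 0.0
    slope, intercept, resid_sd = fit_trend(ys)
    expected = intercept + slope * len(ys)      # prediction for this sample
    score = abs(current - expected) / max(resid_sd, sd_floor)
    return score > k, score

def evaluate_sample(history: UsageHistory, current: float, k: float = 3.0) -> dict:
    """Steps 608-614: the verdict the session statistics module 214 would
    signal. A sample judged unauthorized is NOT appended to the history, so an
    intruder's activity cannot retrain the baseline toward itself."""
    differs, score = compare_measures(history, current, k=k)
    if differs:
        return {"verdict": "unauthorized", "score": round(score, 2),
                "action": "signal enterprise server 106"}
    history.samples.append(current)
    return {"verdict": "ok", "score": round(score, 2), "action": None}

if __name__ == "__main__":
    hist = UsageHistory("cpu_utilisation", list(BASELINE_SAMPLES))
    print(evaluate_sample(hist, 25.0))   # close to the trend: ok
    print(evaluate_sample(hist, 70.0))   # far from the trend: unauthorized
```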

In one embodiment of the present invention, the session statistics module 214 uses measures of the usage characteristics to pre-load applications. For instance, if a user generally opens an email client application as soon as the boot process on the client device 102 is complete, the session statistics module 214 may cause the application to be pre-loaded, saving the user from having to manually start the application or explicitly add the application to a startup group.

General

The foregoing description of the embodiments of the invention has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Numerous modifications and adaptations thereof will be apparent to those skilled in the art without departing from the spirit and scope of the present invention.

1. A method comprising: receiving a security-related policy associated with a user; determining a security model associated with the security-related policy; and applying the security model to a network connection on a client device.
2. The method of claim 1, wherein the security model comprises at least one rule.
3. The method of claim 2, wherein the rule comprises a rule selected from the group consisting of a firewall rule, an antivirus rule, and a virtual private network rule.
4. The method of claim 1, wherein the security policy is associated with a connection type.
5. The method of claim 4, wherein the connection type comprises a connection type selected from the group consisting of Wifi, local area network, wide area network, wireless wide area network, personal handy network, dial-up, and satellite.
6. The method of claim 1, wherein the security policy comprises a secure zone and a non-secure zone.
7. The method of claim 1, wherein the user is associated with a user group.
8. The method of claim 1, wherein receiving the security policy comprises receiving the security policy from a policy server.
9. The method of claim 8, further comprising: creating a security policy; and associating the security policy with the user.
10. A method comprising: receiving a first measure associated with a usage characteristic, the usage characteristic associated with a user; receiving a second measure associated with the usage characteristic; comparing the first measure and second measure; and determining the likelihood that an unauthorized access has occurred based at least in part on the comparison.
11. The method of claim 10, wherein the usage characteristic comprises at least one usage characteristic selected from the group consisting of a uniform resource locator visited, an application launched, a number of system calls per specified duration, a keystroke sequence, a system call, a processor utilization measure, and a memory utilization measure.
12. The method of claim 10, wherein the usage characteristic comprises at least one usage characteristic selected from the group consisting of a traffic level associated with a connection, a protocol used, and a port hit.
13. The method of claim 10, wherein comparing the first measure and second measure comprises performing a statistical linear regression.
14. A computer-readable medium on which is encoded program code, the program code comprising: program code for receiving a security-related policy associated with a user; program code for determining a security model associated with the security-related policy; and program code for applying the security model to a network connection on a client device.
15. A computer-readable medium on which is encoded program code, the program code comprising: program code for receiving a first measure associated with a usage characteristic, the usage characteristic associated with a user; program code for receiving a second measure associated with the usage characteristic; program code for comparing the first measure and second measure; and program code for determining the likelihood that an unauthorized access has occurred based at least in part on the comparison.
16. A system comprising: a policy reader operable to determine a policy associated with a user; and a client security module operable to: receive a security-related policy associated with a user; determine a security model associated with the security-related policy; and apply the security model to a network connection on a client device.
17. A system comprising: a policy reader operable to determine a policy associated with a user; and an unauthorized access detector operable to: receive a first measure associated with a usage characteristic, the usage characteristic associated with a user; receive a second measure associated with the usage characteristic; compare the first measure and second measure; and determine the likelihood that an unauthorized access has occurred based at least in part on the comparison.